Setting specific right access to a shared folder

    Question

  • Hi everyone,

    I'm currently trying to share a folder to the users of my domain with some specific rights.
    The users are remotely logging on via Remote Desktop to one server running Server 2008 R2 (named Server1) to access one application installed on it. I have set up a logon script (via gpedit) to automatically map a drive stored on another server (named Server2) also running under Server 2008 R2. This script is creating a drive like \\Server2\HomeFolders\<Username>. <Username> as you can guess is the login of the user and the script automatically sets the mapped drive to this location. That way, the users can put their own data in this folder.

    My question: is there a way to prevent any user from opening the home folder of other users (\\Server2\HomeFolders\<Username>) except his own home folder?
    I've tried to set only read access to the entire shared folder \\Server2\HomeFolders, but the other users can navigate through my personal folder and open my files :-(. Also, I do not want to set the rights folder by folder, it would take me lots of time as I have lots of users...

    Thanks in advance for your help!
     

    Sunday, May 06, 2012 6:46 PM

All replies

  • Share level permissions - Everyone full permission and remove all others

    On the file/folder level set the following:

    authenticated users special permissions on the root of the \\<server>\homeshare\ to

    Check the boxes next to the following:

    • Traverse folder / execute file
    • List Folder / read data
    • Read attributes
    • Read extended attributes

    Leave all other boxes unchecked and make sure you apply "This Folder Only"

    Domain Admins full rights and apply “this folder, subfolders, and files”

    This will block the users from accessing other user home directories.

    When you create the new user and set the home directory it will create the folder for you with the correct permissions.

    Source- http://community.spiceworks.com/topic/157499-home-drive-permissions

     Sachin Gadhave (MCP, MCTS)

    Sunday, May 06, 2012 6:57 PM
  • Hi,

    You cannot avoid applying permissions on a per folder basis.

    For the parent folder (\\Server2\Homefolders), the users will need just List access to that folder (not subfolders and files, as per the default in the drop-down list) and at least Modify access on the share. That way, if a user tries to click on a user folder other than their own, they will receive an access denied error.

    For the users folders, users will need to have explicit permissions defined on it that applies to it, subfolders and files. Whether this is change or full access is up to you.

    Cheers,
    Lain

    • Edited by Lain Robertson Monday, May 07, 2012 3:16 AM Correction to do with the share permission.
    Monday, May 07, 2012 3:14 AM
  • Hello,


    --- Also, I do not want to set the rights folder by folder, it would take me lots of time as I have lots of users...

    I’m afraid you have to.


    Usually, we’d set Full Control for Everyone in Share Permission and then restrict the access by configuring NTFS rights. In your case, I would give everyone full control in Share Permission, give browse folder contents permission to the parent folder in NTFS. And then, under NTFS rights for the sub-folder, just add the corresponding user full control. Now, one user has full control of the respective folder and receives an Access Denied error when trying to access someone else’s.


    Some related links:

    Planning Access to Shared Folders
    http://technet.microsoft.com/en-us/library/cc787768(WS.10).aspx

    Windows 2003 NTFS and Share Permissions
    http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml


    Thanks
    Zhang


    Monday, May 07, 2012 6:03 AM
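
One way to apply the NTFS layout described in the replies above to every existing home folder in one pass, as an added example that is not part of any post in the thread. The local path `D:\HomeFolders`, the domain name `CONTOSO`, the extra SYSTEM entry and the choice of Modify for the folder owner are assumptions; the script replaces the explicit entries on the root and on each home folder.

```powershell
# Added example, not from the thread. Run elevated on Server2 (PowerShell 2.0+).
# Assumed values: local path behind \\Server2\HomeFolders and NetBIOS domain name.
$Root   = 'D:\HomeFolders'
$Domain = 'CONTOSO'
$ThisFolderOnly = 'None'
$FolderSubFiles = 'ContainerInherit, ObjectInherit'

function New-AllowRule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    $noProp = [System.Security.AccessControl.PropagationFlags]::None
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $noProp, $allow
}

function Reset-ExplicitRules {
    param($Acl, [bool]$Inherit)
    # $Inherit = $false protects the folder and drops entries inherited from above.
    $Acl.SetAccessRuleProtection((-not $Inherit), $false)
    @($Acl.Access) | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$Acl.RemoveAccessRuleSpecific($_) }
}

# 1. Root: users can list and traverse it, but their entry is "This folder only",
#    so nothing below inherits it. Domain Admins (and SYSTEM, an addition that is
#    not in the thread) apply to this folder, subfolders and files.
$browse = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes'
$acl = Get-Acl -Path $Root
Reset-ExplicitRules $acl $false
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' $browse $ThisFolderOnly))
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Admins" 'FullControl' $FolderSubFiles))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $FolderSubFiles))
Set-Acl -Path $Root -AclObject $acl

# 2. Each sub-folder: inherit from the root plus one explicit entry for the user
#    whose logon name equals the folder name.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $Domain, $dir.Name
    try { [void]$account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "No account for '$($dir.Name)'; ACL left unchanged."; return }
    $acl = Get-Acl -Path $dir.FullName
    Reset-ExplicitRules $acl $true
    # Modify here; use 'FullControl' instead if users should manage permissions.
    $acl.AddAccessRule((New-AllowRule $account.Value 'Modify' $FolderSubFiles))
    Set-Acl -Path $dir.FullName -AclObject $acl
}
```
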
  • My question: is there a way to prevent any user to open the home folder of other users (\\Server2\HomeFolders\<Username>) except his own home folder? 

    I mean, as soon as a user logs into the system, a new folder has to be created in his name?

    A script to MapNetworkDrive to the user name? Correct me if I am wrong.


    Regards, Ravikumar P

    Monday, May 07, 2012 6:37 AM